While many professionals are looking to break into the privacy profession from the get-go these days, there are others like IHS Markit Director of Regulatory Compliance Ben Westwood, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, who eased their way into things.

Westwood began his career in regulatory compliance, but it was focused on anti-money laundering and information security. It wasn't until 2012 that he jumped on the data protection path, noting he was the only internal candidate for a data protection compliance role in his company of 8,000 employees. Westwood said there was some data protection experience in his AML and infosecurity role, but he "worked with some really talented and knowledgeable people" who helped broaden a skillset that "proved invaluable over the years."

Benjamin Westwood, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP

In this Member Spotlight, Westwood speaks on some of the intricacies he sees with data protection compliance, including overlooked facets and nuances between some of the frameworks he is dealing with.

The Privacy Advisor: Most privacy professionals have been affected in some way by COVID-19. What's been the biggest challenge the pandemic has brought to your work, and how did you face it?

Westwood: I think the pandemic created compliance challenges for all privacy professionals, commonly through an increased or new collection of sensitive health data or with the switch to home working. When I think back to where we were at the end of 2019, we had transitioned the (EU General Data Protection Regulation) project into a global privacy framework and were focusing on strengthening our culture of compliance within the business. Our team hosted numerous on-site events and was really pushing the privacy agenda across the company. We were visual and present, sharing our passion for privacy with our colleagues, and this was really paying dividends. The pandemic meant we had to pivot into a different strategy, relying on digital channels and virtual events. This, of course, made things more challenging. I don’t think you can always have the same impact virtually that you can have in person.    

The Privacy Advisor: With regulatory compliance, has your team at IHS had to address any subtle differences with U.K. Data Protection Act versus GDPR compliance?

Westwood: This is a great question. When I think of this, the exemptions under the U.K. Data Protection Act spring to mind. I guess this is because of the challenges they create when trying to document process flows for global processes. For example, we have standard operating procedures covering access requests and the process flow has branching questions on locality and data types, which creates complexity. Although in reality, the U.K. exemptions didn’t change significantly from the 1998 act.  

The Privacy Advisor: Is there an area of compliance, in general, that you tend to emphasize more than others? Why so much focus?

Westwood: Yes, there is, and it stems back to my days as a compliance analyst. I think an area of compliance that is often overlooked is the metrics or reporting on compliance. I have a nerdy quote that I often repeat, "it is nearly impossible to manage, monitor, control or improve anything without measuring it." Early on in my career, I had the responsibility of developing the divisional data protection risk report. I saw firsthand the benefits that came from timely reporting on data protection events and trends. Throughout my career, I've always strived to establish a regime of regular reporting. I love a good spreadsheet.     

The Privacy Advisor: Considering your soft spot for finance, what’s an overlooked financial privacy issue in the U.K. or EU that professionals should be more in tune with?

Westwood: I’m going to have to talk about metrics again! I’m not sure if this is an overlooked privacy issue as such or if it's specific to financial services, but one area I think professionals should be more in tune with is measuring or quantifying maturity. A lot of privacy pros have stories of executives asking, "Are we compliant?" It's not a question that can easily be answered with a binary yes or no response. While we absolutely must meet certain legal minimum standards, we always look to improve beyond. It is still important to be able to provide assurance to the executives while demonstrating some actual return on investment. I’ve found that establishing a privacy maturity methodology has been a way of achieving this. With this approach, you can provide a numerical maturity "score" broken down across compliance areas. This way, I’ve been able to set targets for improving the compliance of the whole business while showing continuous improvement over time. However, this requires a significant commitment to build and establish and will often be considered a best in class rather than a critical component of your compliance framework, which might be why it’s not common practice.          

The Privacy Advisor: The privacy profession is ascending, leaving many attempting to break into the business. What’s your best advice for those trying to not only start a career in the space, but have longevity, as well?

Westwood: If you are attempting to break into the industry, my first piece of advice would be to immerse yourself in the subject matter as much as possible. Sign up for news alerts and data protection blogs from the thought leaders and other industry news outlets. If there are no open roles within your company, there will often be privacy champion networks, which I highly encourage people to participate in. Proactive participation in these networks will give you experience and exposure to the privacy function. Take advantage of any mentoring opportunities or training budget that is available and look for other learning opportunities, such as conferences and events. In my opinion, longevity requires three things: the ability to effectively communicate with stakeholders from across every area of the company, along with resilience and pragmatism.

Photo by Keagan Henman on Unsplash